GDPR Compliance Checklist to follow in a scalable MVP app

Looking for a GDPR compliance checklist for your mobile app? We’ve put together a GDPR checklist for developers to help you ensure your startup stays compliant.

As customers, we want to make sure our private and personal data is protected. We’ve all read horror stories about large businesses being victims of cybercrime, credit card information being made available for sale, and thieves stealing laptops containing valuable customer details.

The General Data Protection Regulation, or GDPR, was launched in 2018 to help protect the data of EU citizens. If you want to launch a scaleable MVP app, it’s important to know how GDPR applies to your startup.

We’ve put together this guide to GDPR compliance requirements, so you know what data you need to protect, and how to protect it. And remember, if you need a little extra help developing and launching a GDPR-compliant mobile app, the team at You are launched has the experience and skillset you need to succeed.

What is GDPR?

GDPR is a legal framework that was brought in across the EU to keep people’s personal data safe. It is often referred to as the toughest privacy and security law in the world. And with over 160,000 data breaches, it’s easy to see why!

By personal data, we mean anything that can potentially identify a living person, like a name, email address, home address, or a date of birth. Anything that can reveal a person’s health, political opinions, or sexual orientation can be defined as personal data too. It’s essential to think of personal data like a jigsaw puzzle. One small piece of data might not tell you much, but several pieces can come together to provide a lot of information about a person.

Ever get fed up with clicking those annoying cookie pop-ups on websites? These are related to GDPR too! Cookies can store data that can potentially identify you, like your location and IP address. GDPR and the ePrivacy Directive work together to give you the option to provide consent before storing or accessing cookies on your device.

The penalties for failing to adhere to GDPR can be costly. For a significant data breach, you can be fined up to €20 million / $22 million or 4% of worldwide turnover, whichever is higher.

In 2021, Amazon was fined $888 million after admitting to processing customer data incorrectly. In the same year, WhatsApp was fined $252 million for multiple breaches of GDPR.

It’s important to remember that it’s not just money at stake, but reputation too. As part of the GDPR regulations, organizations must contact those affected if a data breach could result in a high risk to their rights and freedoms. This can result in negative publicity and a loss of revenue.

One in five customers will never return to a business if it loses their personal data.

Does GDPR apply if I’m not based in the EU?

Yes. GDPR applies to EU citizens rather than countries. This means that if your mobile app handles the personal data of EU citizens and residents, you will have to adhere to GDPR regulations.

We’re often asked if GDPR applies to the UK, given that it’s not in the EU anymore. The UK adopted the ‘UK GDPR’ in 2020, which is almost identical to the EU version. While the UK is no longer part of the EU, the EU adopted an ‘adequacy decision’, which means that personal data can flow from the UK to the EU and vice versa, without issues. This expires in 2025, so the UK GDPR regulations may change after this time. The ICO handles GDPR in the UK.

If you’re based in the US and handle health information, you may also have to comply with the Health Insurance Portability and Accountability Act, or HIPAA. This guide will tell you if you’re affected, and what you can do to ensure your MVP app is compliant.

Is there a certification or accreditation I need to get to show GDPR compliance for my mobile app?

While there are certifications and accreditations you can get to demonstrate GDPR compliance, they aren’t mandatory requirements. 

Some examples of certification include Cyber Essentials, ISO 27001, and EuroPriSe. If you’re new to the world of GDPR, these accreditations can be helpful as they can give you a clear steer as to how to store, process, and audit your data.

Do I need to assign someone to manage the mobile app GDPR compliance?

Public authorities and businesses that carry out certain types of processing activities are encouraged to designate a Data Protection Officer. The Data Protection Officer’s responsibility is to ensure compliance and be the first point of contact if there are any issues. 

If you are a small startup, it’s highly likely that you don’t need a Data Protection Officer, although you can appoint one voluntarily if you choose. Or, you can just follow the GDPR compliance to-do list below.

Our GDPR compliance checklist

So we’ve looked at what GDPR is; however the next big question… how do you ensure your mobile app is compliant?

Here is our GDPR compliance checklist for developers, project managers, and startup founders. So, you would clearly know what to put into your GDPR compliance to-do list.

1. Keep data collection to a minimum

The easiest way to stay on the right side of the GDPR regulations is only to collect the minimum amount of data you need to make your app functional.

For example, take the date of birth. There may be some circumstances where you need to ask for a user’s birth date to ensure they are the appropriate age to use your app. However, if you don’t need this information, we recommend not asking for it at all. The less information you have to store and process, the better.

It’s also important to think about how long you will keep data for. The EU recommends that data is stored for the shortest time possible, in order to minimise the risk of a data breach.

With GDPR, app users can also request ‘the right to be forgotten’. This means an app user can request that their personal data be deleted. It’s important to bear in mind that there are some exemptions to this rule, for example, if the data needs to be kept to comply with a legal ruling or to carry out a task in the public interest.

2. Vet any third parties you use

You might use third-party providers to provide additional app functionality. For example, a payment processor to take in-app payments or an analytics platform to measure and monitor app performance. If they’re handling personal data, it’s essential to check these third parties to make sure they’re following GDPR compliant checklist.

You’ll be known as the ‘data controller’ when it comes to managing personal data, while any third-party providers you give access to data to are known as ‘data processors. While you will take the most responsibility, any data processors also need to comply with GDPR guidelines. 

When choosing a provider to work with, look at their commitment to GDPR. For example, do they have a privacy policy you can read? Do they have any accreditations or certificates? Have they been responsible for any GDPR breaches in the past?

You need to have what is known as a ‘data processing agreement’ in place with any data processors you work with. This identifies each party’s rights and obligations and assures you that the third parties you use will handle any personal data correctly. 

3. Encrypt your data

Personal data on your app should be encrypted. Encryption is a process that scrambles data so it looks like a random jumble of letters and numbers unless someone has the means to decrypt it. 

This means that if there is a data leak or breach, the data will not be able to be understood. While encryption won’t eliminate the risk of data leaks entirely, it will help minimize the risk of negative consequences.

4. Test before you launch

When developing a minimum viable product, you want to get it launched as soon as possible. However, you still need to carry out thorough testing beforehand to ensure that everything is secure.

This will mean you can identify any bugs or issues that may lead to data being easily accessible. The other benefit of testing your app is that you can check it’s secure, minimizing the risk of cyber attacks.

5. Create a privacy policy

It’s crucial to show app users how you will handle their data – a detailed privacy policy isn’t just nice to have; it’s essential.

Your privacy policy needs to include:

• The data you collect
• How you will use the data
• How you will store the data, and how long for
• Which third parties you work with, and what data is shared with them
• How you use cookies and the types of cookies you use
• What users are entitled to (for example, the right that you erase their personal data or correct any data that is incorrect)
• Who users can contact if they have a question or complaint

Keep your privacy policy up to date, and make sure it’s as easy to understand as possible. GDPR.EU has a free template you can download and amend to meet your needs.

6. Train your team

While an official accreditation is not a legal requirement, it’s crucial to ensure that everyone on your team knows how to keep personal data safe. With 88% of all data breaches caused by human error, GDPR training can provide you and your team with peace of mind.

There are lots of online courses that will introduce your team to the basics of data protection and what they can and can’t do with customer data. 

7. Know what to do in the event of a data breach

The last point in our GDPR compliance checklist is “prepare a backdoor”. It’s always best to prepare for the worst-case scenario. 

If you experience a breach of security that leads to the disclosure of data that can affect people’s rights and freedoms, you must report it to the European Data Protection Supervisor (or the ICO in the UK) within 72 hours. It’s okay if you don’t have all the information about the breach, as long as you act within the 72-hour timescale.

If a third party you work with experiences a breach of your data, they must report it to you as soon as they are aware.

Make sure that everyone in your team knows who to go to if they are made aware of a data breach. This will be your Data Protection Officer if you have one, or someone with knowledge of data protection, perhaps your CISO or HR Manager.

It also pays to have some template emails ready to go if you need to report a breach to the relevant users. This means you can act quickly and get ahead of any potential negative publicity.

We hope this GDPR compliance checklist has got you off to a good start when it comes to ensuring the personal data you handle stays safe and protected.

GDPR can be a complicated regulation to follow, with many permutations. However, by keeping data collection to a minimum, being transparent with app users, and asking for permission to process data, you’re well on the way to ensuring compliance.

Alternatively, in the US, there is another regulation, which is called HIPAA Compliance. Check it out here

Frequently Asked Questions (FAQ)